The article “Using OpenSSL to Strengthen the Security of Your z/VSE Environment and Communications” provided an overview of OpenSSL, how it was ported to z/VSE and how it’s exploited by the IPv6/VSe product from Barnard Software Inc. Here we discuss a special security flaw in the SHA-1 hash algorithm and show how Transport Layer Security (TLS) Version 1.2 overcomes this problem. It also examines how TLSv1.2 can be used in a z/VSE environment using OpenSSL.

A hash function is a mathematical function that maps input data of almost any length to a fixed-length binary string. It’s important that this mapping is a one-way mapping; for example, there’s no way of reconstructing the original data from a given hash value, except systematically trying all kinds of input. Another important characteristic is that it’s very unlikely to find two different input strings with the same hash value. Therefore, hash values are often used to uniquely identify data and are sometimes also referred to as “message digests” or “fingerprints.” You can find more information about secure hash functions here.

There are two specific hash functions: SHA-1 and SHA-256. SHA stands for Secure Hash Algorithm.

SHA-1 was developed and published in the mid-90s by the U.S. National Security Agency (NSA). SHA-1 accepts any input data up to 264 bits (approximately 2 exabytes). This is a huge number, which, for example, would be equivalent to about 500,000 tape cartridges with a capacity of 4TB each. The hash value is always exactly 20 bytes long.

SHA-256 belongs to the family of SHA-2 algorithms that includes SHA-224, SHA-256, SHA-384 and SHA-512. It was published in 2001 by the U.S. National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). SHA-256 accepts input data up to 2128 bits. The hash value always consists of exactly 32 bytes.

The Use of Hash Functions in the IT Industry
Before we discuss which hash function to use in your IT environment, here are some examples of how hash functions are used in computer environments:

• Storing the hash value of passwords. Almost every computer system provides logon security. Users type in their password when they sign on to the system. As passwords should never be stored in clear text in a computer system, they’re often stored as their hash values. When a password is entered on a terminal, its hash value is calculated and compared to the stored password hash for this user. Due to the nature of hash functions, it isn’t feasible to reversely calculate the password from a given hash.

• Ensuring data integrity. The stored hash value of a document or data backup can be used for detecting document modifications. The smallest change to a document will result in a completely different hash value. And by nature, it isn’t feasible to, for example, get back to the original hash value by adding further document modifications.

• Securing network connections. In Secure Sockets Layer (SSL)/TLS connections, the data sent over the line is hashed. This allows anyone who intercepts the connection to detect any data modifications.